Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.
-
Upload
kathy-doughty -
Category
Documents
-
view
217 -
download
2
Transcript of Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.
![Page 1: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/1.jpg)
slide 1
Don Porter
CS 380S
TOCTTOU Attacks
Some slides courtesy Vitaly Shmatikov and Emmett Witchel
![Page 2: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/2.jpg)
2
Definitions TOCTTOU – Time of Check To Time of Use Check – Establish some precondition
(invariant), e.g., access permission Use – Operate on the object assuming
that the invariant is still valid
Essentially a race condition Most famously in the file system, but can
occur in any concurrent system
![Page 3: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/3.jpg)
slide 3
UNIX File System Security
Access control: user should only be able to access a file if he has the permission to do so
But what if user is running as setuid-root?• E.g., a printing program is usually setuid-root in
order to access the printer device– Runs “as if” the user had root privileges
• But a root user can access any file!• How does the printing program know that the
user has the right to read (and print) any given file?
UNIX has a special access() system call
![Page 4: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/4.jpg)
4
TOCTTOU Example – setuid Victim checks file, if its good, opens it Attacker changes interpretation of file
name Victim reads secret file
if(access(“foo”)) {
fd = open(“foo”); read(fd,…); …}
Victim Attacker
symlink(“secret”, “foo”);
time
![Page 5: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/5.jpg)
slide 5
access()/open() Exploit
Goal: trick setuid-root program into opening a normally inaccessible file
Create a symbolic link to a harmless user file• access() will say that file is Ok to read
After access(), but before open() switch symbolic link to point to /etc/shadow• /etc/shadow is a root-readable password file
Attack program must run concurrently with the victim and switch the link at exactly the right time• Interrupt victim between access() and open()• How easy is this in practice?
![Page 6: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/6.jpg)
slide 6
Broken passwd
Password update program on HP/UX and SunOS (circa 1996)
When invoked with password file as argument…1. Open password file and read the entry for the
invoking user2. Create and open temporary file called ptmp in
the same directory as password file3. Open password file again, update contents and
copy into ptmp4. Close both password file and ptmp, rename
ptmp to be the password file
[Bishop]
![Page 7: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/7.jpg)
slide 7
TOCTTOU Attack on passwd
Create our own subdirectory FakePwd and fake password file pwdfile with blank root password; create symbolic link lnk->FakePwd; run passwd on lnk/pwdfile
1. Open password file and read the entry for the invoking userChange lnk->RealPwd to point to real password directory
2. Create and open temporary file called ptmp in the same directory as password file
ptmp is created in RealPwdChange lnk->FakePwd to point to fake password directory
3. Open password file again, update contents and copy into ptmpcontents read from FakePwd/pwdfile and copied to RealPwd/ptmp
Change lnk->RealPwd to point to real password directory4. Close both password file and ptmp, rename ptmp to password
fileNow RealPwd/pwdfile contains blank root password. Success!
![Page 8: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/8.jpg)
slide 8
Directory Removal Exploit
Recursive removal of a directory tree (GNU file utilities)Original tree is /tmp/dir1/dir2/dir3chdir(“/tmp/dir1”)chdir(“dir2”)chdir(“dir3”)unlink(“*”)chdir(“..”)rmdir(“dir3”)unlink(“*”)chdir(“..”)rmdir(“dir2”)unlink(“*”)rmdir(“/tmp/dir1”)
Suppose attacker executes “mv /tmp/dir1/dir2/dir3
/tmp” right here
This call will delete the entire root directory!
Fix: verify that inode of the directory did not change before and after chdir()
![Page 9: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/9.jpg)
slide 9
Temporary File Exploit
// Check if file already existsif (stat(fn,&sb)==0) { fd = open(fn, O_CREAT | O_RDWR, 0); if (fd<0) { err(1, fn); } }
Suppose attacker creates a symbolic link with the same name as *fn pointing to an
existing file
This will overwrite the file to which attacker’s link
points
![Page 10: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/10.jpg)
slide 10
Evading System Call Interposition
TOCTTOU and race conditions can be used to evade system call interposition by sharing state
Example: when two Linux threads share file system information, they share their root directories and current working directory• Thread A’s current working directory is /tmp• Thread A calls open(“shadow”); B calls
chdir(“/etc”)– Both look harmless; system monitor permits both calls
• open(“shadow”) executes with /etc as working directory– A’s call now opens “/etc/shadow” – oops!
Similar attacks on shared file descriptors, etc.
![Page 11: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/11.jpg)
Non-Filesystem Race Conditions
Sockets: create/connect races for local daemons• OpenSSH < 1.2.17
Symbolic links for Unix sockets• Plash
Signal handlers• See Zalewski – “Sending signals for Fun and
Profit”
slide 11
![Page 12: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/12.jpg)
12
TOCTTOU Vulnerabilities in Red Hat 9
Application TOCTTOU errors
Possible exploit
vi <open, chown> Changing the owner of /etc/passwd to an ordinary user
gedit <rename, chown>
Changing the owner of /etc/passwd to an ordinary user
rpm <open, open> Running arbitrary command
emacs <open,chmod> Making /etc/shadow readable by an ordinary user
• Jinpeng Wei, Calton Pu. FAST’05
National Vulnerability Database currently has 600 entries for symlink attack
![Page 13: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/13.jpg)
slide 13
How Hard Is It to Win a Race?
Idea: force victim program to perform an expensive I/O operation• While waiting for I/O to complete, victim will yield
CPU to the concurrent attack program, giving it window of opportunity to switch the symlink, working dir, etc.
How? Make sure that the file being accessed is not in the file system cache• Force victim to traverse very deep directory
structures (see Borisov et al. paper for details)
![Page 14: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/14.jpg)
Maze Attack
Replace /tmp/foo -> bar with:
slide 14
/tmp/foo -> 1/a/b/c/d/e/...-> 2/a/b/c/d/e/......-> k/a/b/c/d/e/...-> bar
![Page 15: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/15.jpg)
Maze Attack, cont.
1) Pollute OS cache with unrelated garbage2) Pick an arbitrary file in maze, poll atime3) On update, replace maze
slide 15
1a/a/b/c/d/e/...->2a/a/b/c/d/e/......->ka/a/b/c/d/e/...-> secret
/tmp/foo -> 1/a/b/c/d/e/...-> 2/a/b/c/d/e/......-> k/a/b/c/d/e/...-> bar
![Page 16: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/16.jpg)
slide 16
Maze Recap
Attacker must track victim’s progress• When to insert symlink?
After access started: • Monitor access time on a single directory entry
Before open:• Force disk reads during access
[Borisov et al.]
![Page 17: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/17.jpg)
How hard to prevent TOCTTOU?
No portable, deterministic solution with current POSIX filesystem API – Dean and Hu 2004
Tactics:1. Static checks for dangerous pairs (compile
time)2. Hacks to setuid programs (least privilege)3. Kernel detection and compensation
(RaceGuard)4. User-mode dynamic detection5. Change the interface
slide 17
![Page 18: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/18.jpg)
Hardness Amplification (Dean)
If probability of attacker winning race is p<1,
Essentially, do the access() n times and make sure they agree before doing the open()
But what about mazes?• p == 1
slide 18
![Page 19: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/19.jpg)
Take 2 – (Tsafrir ‘08)
Idea: Column-oriented traversal in userspace
/a/b/c/...
slide 19
a
a
a
...
b
b
b
c
c
c ...
...
...
n
k Insight: hard to force scheduling in same directory
Notes: User space Probabilistic
![Page 20: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/20.jpg)
Cai et al. ‘09
Idea: Algorithmic complexity attack on filesystem namespace
Forced victim to be descheduled at end of each syscall without mazes• Even in same directory
Paper also includes interesting scheduler priority manipulation
slide 20
![Page 21: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/21.jpg)
Linux dcache
“foo” hashes to 3 Pollute bucket 3
with garbage Victim burns
timeslice traversing very long hash chain
OS schedules attacker at end of syscall
slide 21
...
![Page 22: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/22.jpg)
Cai recap
Disproved intuition about column traversal Generalization: probabilistic
countermeasures unlikely to every work• Attackers likely to figure out how to single step
victim Deterministic solutions are the only
solutions
slide 22
![Page 23: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/23.jpg)
Tsafrir made Deterministic
Insight 2: Hardness amplification not necessary
Userspace traversal sufficient with *at() calls:fd1 = open(“/”);fstatat(fd1, &statbuf); // do some checksfd2 = openat(fd1, “a”);fstatat(fd2, &statbuf);// more checksfd3 = openat(fd2, “b”);... slide 23
![Page 24: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/24.jpg)
Caveats
Slower (many more syscalls) Incompatible with exec, O_CREAT
• Re-opens door to temp file attacks Still requires API changes
• openat(), fstatat(), etc.
slide 24
![Page 25: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/25.jpg)
How hard to prevent TOCTTOU?
Tactics:1. Static checks for dangerous pairs (compile
time)- Difficult in practice
2. Hacks to setuid programs (least privilege)- Most common fix for single app
3. Kernel detection and compensation (RaceGuard)
4. User-mode dynamic detection1. Probabilistic2. Deterministic – Requires API Changes, Incomplete
5. Change the interface- Most common approach to general problems slide 25
![Page 26: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/26.jpg)
In the last 2 years, 13 new system calls have been added to Linux to prevent TOCTTOU• openat, renameat, etc. all take file descriptors
In the last 3 years, new signal handling• pselect, ppoll change signal mask
Current proposals for close-on-exec flag to the open system call• Prevents a race between open and fcntl
(exploitable in a web browser) Cluttered and complicated APIs are the
enemy of secure code
Adapting the API
![Page 27: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/27.jpg)
Transactions Atomic: either the entire transaction
succeeds or fails Consistent: transactions represent a
consistent data structure update Isolated: partial results are not visible to
the rest of the system. This allows all transactions to be ordered (serialized).
Durable: they survive computer failures Transactions help us reason about
concurrency
![Page 28: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/28.jpg)
slide 28
Pseudo-Transactions
Observation: many sequences of filesystem operations are intended to be atomic• E.g., nothing should happen betw. access() and
open() Pseudo-transaction: a sequence of
filesystem calls that always behaves as if it were executed in isolation and free from interference• Very well-understood concept in databases
Idea: OS should recognize when a file transaction starts and prevent interfering system calls
[Tsyrklevich and Yee]
![Page 29: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/29.jpg)
slide 29
Tsyrklevich-Yee System
Look at 2-call sequences of filesystem calls• Implemented as a kernel module
Assume that first call starts a pseudo-transaction, second call ends it• Also need to time out misidentified transaction
starts Treat all filesystem operations originating
from the same process as part of same transaction• Assume process doesn’t maliciously interfere
with its own filesystem access• Assume fork()’d children run the same process
image
![Page 30: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/30.jpg)
…Also destroyed by Cai et al. ‘09
Kernel has finite resources to track fs operations
Idea: pollute the cache with enough garbage to evict first operation• Or manipulate scheduling for false timeout
Varies by implementation
slide 30
![Page 31: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/31.jpg)
System Transactions – SOSP ‘09
New system calls for transactions• sys_xbegin• sys_xend• sys_xabort
System calls within an active transaction• atomic: all or nothing• isolated: partial results invisible
Easy to adopt, just wrap code with transactions
Deterministic guarantees
![Page 32: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/32.jpg)
32
TOCTTOU Example Redux
Attack ordered before or after check and use• System transactions save the day
sys_xbegin();if(access(“foo”)) { fd = open(“foo”); sys_xend(); …
Victim Attacker
symlink(“secret”,“foo”);
symlink(“secret”,”foo”);
time
![Page 33: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/33.jpg)
33
Prototype
A version of Linux 2.6.22 modified to support system transactions• Affectionately called TxOS• Runs on commodity hardware• Supports a range of system calls
– fs, memory allocation, fork, signals
Reasonably efficient• Benchmark overheads: 1-2x• Some speedups!
![Page 34: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/34.jpg)
Questions?
porterde@cs
slide 34
![Page 35: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/35.jpg)
Preventing TOCTTOU Races
![Page 36: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/36.jpg)
slide 36
Typical Setuid-Root File Access
// Assume this is running inside some setuid-root programvoid foo(char *filename) { int fd; if (access(filename, R_OK) != 0) exit(1); fd=open(filename, O_RDONLY); … do something with fd …}
Check if user has the permission to read this
file
Open file for reading
What if the file to which filename points changed right here?
This is known as a TOCTTOU attack(“Time of Check To Time of Use”)
![Page 37: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/37.jpg)
slide 37
Fixing Race Conditions
Unsafe sequence has been detected. What now?
Roll back to state before transaction• Requires a heavy-duty file system
Lock out other processes when a “critical section” of filesystem operations is being executed• How to identify critical sections?• One process gets a lock on entire filesystem
(bad idea) “Delay-lock”: temporarily delay other
processes trying to access a locked file• How to calculate the right delay? What if
attacker wakes up before victim completes his file operation?
![Page 38: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/38.jpg)
slide 38
Allow every 2-call sequence except these:
ACCESS REMOVECHDIR REMOVEEXEC REMOVE
where REMOVE = UNLINK | RMDIR | RENAME
Default Allow Policy
![Page 39: Slide 1 Don Porter CS 380S TOCTTOU Attacks Some slides courtesy Vitaly Shmatikov and Emmett Witchel.](https://reader035.fdocuments.net/reader035/viewer/2022062619/551770bd5503460e6e8b4f42/html5/thumbnails/39.jpg)
slide 39
Deny any 2-call sequence except these:
PERMIT(OPEN_RW, OPEN_RW | ACCESS | UTIMES | CHDIR | EXEC |UNLINK | READLINK | CHMOD | CHOWN |
RENAME)PERMIT(OPEN_CREAT, OPEN_RW | ACCESS | UTIMES | CHDIR | EXEC |
RENAME_FROM)PERMIT(ACCESS, OPEN_RW | ACCESS | UTIMES | CHDIR | EXEC)PERMIT(EXEC, OPEN_READ | EXEC)PERMIT(CHDIR, OPEN_READ | CHDIR | ACCESS | READLINK)PERMIT(RENAME_FROM, OPEN_RW | ACCESS | UNLINK | RENAME_FROM)PERMIT(RENAME_TO, OPEN_RW)PERMIT(CHMOD | CHOWN, OPEN_RW | ACCESS | CHMOD | CHOWN)PERMIT(UTIMES, OPEN_RW | ACCESS | CHMOD | CHOWN)PERMIT(READLINK, READLINK)
Default Deny Policy